Luigi Gangitano uploaded new packages for drupal6 which fix the
following security problems:
SA-CORE-2010-001
Multiple vulnerabilities and weaknesses were discovered in Drupal.
* Installation cross site scripting
A user-supplied value is output directly during installation, allowing
a malicious user to craft a URL and perform a cross-site scripting attack.
The attack can only be carried out against sites that have not yet been
installed.
* Open redirection
The API function drupal_goto() can be abused for phishing. An attacker
can craft a redirect that makes the Drupal site send the user to an
arbitrary, attacker-supplied URL. No user-submitted data is sent to that
URL.
* Locale module cross site scripting
Locale module and dependent contributed modules do not properly sanitize
language codes and native and English language names when displaying them.
While these values usually come from a preselected list, arbitrary
administrator input is allowed. This vulnerability is mitigated by the fact
that the attacker must have a role with the 'administer languages'
permission.
* Blocked user session regeneration
Under certain circumstances, a user who is blocked while holding an open
session can keep using that session on the Drupal site despite being
blocked.
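The open redirection item above comes down to one missing check: a redirect helper that takes its target from a request parameter (Drupal's drupal_goto() reads ?destination=) must refuse anything that is not a path on the local site. The following PHP is an added example written for this announcement, not the Drupal 6.16 patch and not Drupal API code; the function names is_local_destination(), vulnerable_redirect_target() and safe_redirect_target() and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not Drupal's own code. Shows the "local destination only"
// check that closes an open redirect in a drupal_goto()-style helper.
// Function names below are illustrative assumptions, not Drupal API.

/**
 * Return TRUE only if $destination is a path on this site, i.e. a value
 * that cannot send the browser to another host once it reaches the
 * Location: header.
 */
function is_local_destination($destination) {
  $destination = trim((string) $destination);
  if ($destination === '') {
    return FALSE;
  }
  // Two leading slashes/backslashes ("//evil.example", "/\evil.example")
  // are protocol-relative URLs to browsers, so they leave the site.
  if (preg_match('#^[/\\\\]{2}#', $destination)) {
    return FALSE;
  }
  // "scheme:" before any '/', '?' or '#' marks an absolute URL
  // (http://, https://, javascript:, data:, mailto:, ...).
  $colonpos = strpos($destination, ':');
  if ($colonpos !== FALSE && !preg_match('![/?#]!', substr($destination, 0, $colonpos))) {
    return FALSE;
  }
  // Control characters (CR/LF) could inject a second response header.
  if (preg_match('/[\x00-\x1F\x7F]/', $destination)) {
    return FALSE;
  }
  return TRUE;
}

/**
 * Vulnerable pattern: the destination parameter is trusted verbatim, so a
 * link such as /user/login?destination=http://evil.example/ bounces the
 * victim off-site after the redirect (phishing).
 */
function vulnerable_redirect_target($default, array $request) {
  return isset($request['destination']) ? $request['destination'] : $default;
}

/**
 * Hardened pattern: the destination parameter is honoured only when it is
 * a local path; anything else falls back to the caller's default.
 */
function safe_redirect_target($default, array $request) {
  if (isset($request['destination']) && is_local_destination($request['destination'])) {
    return $request['destination'];
  }
  return $default;
}

// Constructed sample inputs for the demonstration (not from the advisory).
$cases = array(
  'node/1',
  'node/1?page=2#comments',
  '/user/1',
  'node/1?back=http://example.org/',   // local path whose query mentions a URL
  'http://evil.example/',
  '//evil.example/',
  '/\\evil.example/',
  'javascript:alert(1)',
  "node/1\r\nSet-Cookie: x=y",
);
foreach ($cases as $case) {
  printf("%-40s vulnerable -> %-22s safe -> %s\n",
    json_encode($case),
    json_encode(vulnerable_redirect_target('<front>', array('destination' => $case))),
    json_encode(safe_redirect_target('<front>', array('destination' => $case))));
}
```

Run it with `php` from the command line: the first four cases pass through both helpers unchanged, while the absolute, protocol-relative, backslash, javascript: and CRLF cases are reflected verbatim by vulnerable_redirect_target() but replaced by `<front>` in safe_redirect_target(). The scheme test deliberately looks only at the text before the first colon and stops at the first `/`, `?` or `#`, so a local path whose query string happens to contain a URL is still accepted.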
For the lenny-backports distribution the problems have been fixed in
version 6.16-1~bpo50+1.
Upgrade instructions
--------------------
If you do not use pinning (see [1]), update the package manually with
"apt-get -t lenny-backports install <packagelist>", where <packagelist>
is the list of installed packages affected by this update.
[1] <http://backports.org/dokuwiki/doku.php?id=instructions>
We recommend pinning the backports repository at priority 200 (in
/etc/apt/preferences) so that new versions of installed backports are
installed automatically:
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200
--
Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26